Computer vigilantes: Breaking the law by hitting back at hackers?

Even if you are a victim of computer crime, you don't want to end up in court for taking the law into your own hands against hackers.


I've noticed a number of threads in discussion forums suggesting that citizens should turn the tables on hackers. One of the more extreme examples even went so far as to suggest that citizens should be armed with the means to strike back at criminals.

At the start of the millennium, when the internet and ecommerce were seen as being in their infancy, it was common for commentators to talk about a lack of regulation and to compare the internet to the Wild West.

In reality, the internet and ecommerce are both heavily regulated. Most of the real-world rules and regulations, including contractual provisions, did and do apply equally well in an online relationship as they do off-line.

These regulations have also been supplemented subsequently by new rules that have been designed specifically for the internet.

The problem with crime is that it is perpetrated by people who are happy to disregard the law. It's in their job description. The advantage of the internet for the criminal is that crime can be conducted anonymously and from a foreign jurisdiction, both of which make it a low-risk activity.

Additionally, it can never have been so easy to industrialise the processes of committing some of these crimes: why rob one person when you can rob millions simultaneously?

Multiple hacking offences

Hackers are motivated by many reasons but what they all have in common is that they are committing crime. This fact may come as a surprise to those hackers who are doing it for fun or curiosity or for other less malevolent reasons. However, in the UK the Computer Misuse Act 1990, which has been updated multiple times, creates a number of offences that cover their activities.

The reason we are not seeing more convictions is an issue of capacity. The law enforcement agencies have limited resources, which is not helped when large companies keep poaching their well-trained staff. The crime-fighters are therefore focused on the priority events where they are most likely to secure a prosecution.

Furthermore, their agenda in investigating computer crime and gathering evidence for a prosecution works on a different timescale to the needs of most businesses when faced with DDoS attacks or shutting down APTs. This difference is frustrating for businesses that have sought to use the criminal law as a solution to being attacked.

The desire to strike back is completely understandable and the suggestion that citizens should be entitled to retaliate may even sound reasonable.

However, to fight back risks breaking the law. The Computer Misuse Act, for example, does not take into consideration the motive behind the criminal activity. Anyway, who do you conduct a retaliatory attack against when the crime was probably perpetrated using a botnet?

Disclosing the hacker's identity

This issue highlights the dilemma of the ISPs. They are contractually bound to protect the privacy of their customers. Otherwise they might be willing to disclose the identity of the attacker.

Identity disclosure creates two risks for the ISP: a contractual breach and a regulatory breach. I doubt a hacker would wish to bring a claim for breach of contract, but he or she might be willing to tip off the regulators, and the regulatory risk is more problematic.

This situation seems negative but the law can be used legitimately to conduct a proactive defence. The issue is one of cost and motivation on the part of the claimant.

It is quite likely that the hacker will not have the financial means to satisfy a successful claim and therefore the claimant will be left bearing the costs of the action and should not expect to receive compensation for its loss. However, if the aim of the claim is to disrupt and deter attacks, then this may be sufficient reward in itself.

Furthermore, using the same rationale that drives many intellectual property claims, setting out to obtain a reputation that your business will pursue infringements can pay dividends.

Increasing the risk to the criminal will deflect attacks onto softer targets, reducing the cost of disruption. The threat of being labelled as a criminal may also deter more casual hackers, who may not have fully appreciated the seriousness of their actions.


About Stewart James

Stewart James is a partner in the technology, media and commercial group at law firm DLA Piper's Leeds, UK, office. His areas of expertise include outsourcing and retendering, business process re-engineering, information assurance, data protection, and intellectual property issues.

Who cares about the law? They don't have one thing to do with it. We are dealing with idiots in West Africa who purchased expensive software to trick us into supporting terror and the rest are rogue countries like North Korea hell bent on destroying themselves when they finally do something stupid enough to piss us off. Do dummies that send them money make the connection when a squad of our troops get blown to bits two weeks later? Doubt it, because they fell for it in the first place.

If you were able to actually identify and attack real genuine "hackers", legal retaliation is not really anything to worry about. Will they travel to your country to take legal action, knowing it would merely expose them to a countersuit for the initial attack? Not at all.
Should you find yourself in a position of actually identifying a real attacker, hack away. They will be able to do nothing about it. Should they try, bury them in legal costs.

Hackers vs. Crackers. Well, crackers are tasty but often best with cheese. A better term is white hat vs. black hat, that way you're not defining the actions they take but instead the intent behind them. There is a lot of overlap in what they do in practice, so just the intent of why they're doing it should be looked at.

Oh is this getting to be a mess. Hackers could argue that they are 'Paladin' righting the wrongs of the 'Hackees'. And those who have been 'hacked' probably feel morally and ethically justified in seeking revenge on the 'hacker(s)'. Is this kinda like a bank robber having his loot picked out of his pocket? Or a ponzi-schemer's wife withholding a 12 carat diamond?

If a hacker did put up the US Seal with unproven criminal accusations ... Let's think again if this is justice or vigilante behavior by government officials. ... when did the government ever worry about breaking any law?

The problem with going after hackers is most disgruntled victims would shoot at the first face to show up in their search; whereas most hackers are going to be several layers down in the puckerbrush where they can't be seen without a thorough investigation. 99% of your vigilantes would therefore be attacking, damaging and injuring innocent victims; which is why most computer vigilantes are criminals themselves.

In definition a "Hacker" in the world of Techs are those who are Computer Geeks who repair your machines. The term Geek is sometimes considered to be politically incorrect today so thus the term Hacker is more commonly used. The term "Cracker" is used to depict those who use their knowledge to crack into either Domains or other machines to gain information or items without cost. The keygen used to activate items is called a "Crack" and to break into another machine is called IP cracking, hence the name Cracker. To say that we the normal citizen has every right to hit back although may seem rational is indeed not the right thing to do. Add fuel to a fire and guess what? Boom! If they didn't get the press or publicity they would soon get bored and find soccer more fun. It's the look at me syndrome that's the candy.

Also, some groups, if not many, hide doubtful activities. When they are hacked, they are afraid also of the data known = blackmailed by hackers then? In such cases, hackers also seemed like heroes by themselves. Exposing anything, hack for good, or hack for bad. Let the people vote.

I've heard that if you are a hacker, you know or have higher intellects on computers or relevants. And some of my colleagues cited that if you are that tough, companies or somebody wants you... swordfish

I found a website named scammerspammer.com and you can put in the email address of a spammer and they will bomb that email address with a thousand emails. I emailed the site owner to ask if he was aware of repercussions that could come upon him, but he said that in most cases, spammers are requesting contact, so he feels that he is covered legally. (He is in Canada.) Problem was, I had so many spammers' addresses, that shortly after I talked to the guy, I got banned for putting too many in!
On a side note, many spammers want to sort their emails, so they always ask for you to put something specific in the "Subject" line. There is an entry for that, also, so that the person will at least be slightly inconvenienced going through some useless emails.
There is also a site out there called 419eater.com and the guy has done what the early letters mentioned. He puts the scammers through many hoops and has the FUNNIEST stories of the things he has put them through. The story about him making the guy carve the Simpsons on their couch was one of the early ones, and it is HILARIOUS!! Check out both sites if you can.

Although spam is annoying, I don't believe it's on the same level as intentionally trying to compromise a system that doesn't belong to you (true hacking).
The internet includes governments that will turn a blind eye and even sponsor these activities so long as the attacks are against other countries. Yes China, I'm talking about you. With governments reaping only benefits from hacking activities (i.e. revenue, information, etc), there is little to no incentive to penalize the activity unless you hack your own country.

Maybe you should look through all the definition of hackers before saying "Hackers are motivated by many reasons but what they all have in common is that they are committing crime". All you're doing is giving all hackers a bad name; just because a few commit crime and break the law doesn't mean all of them do. By the way, hackers that commit crime are often considered "Crackers" not "Hackers", at least from what I have read.

If you are going to play with the spammers, never use a legitimate email. You always go get a 123xxyyzz@hotmail or gmail just like they do before you send your reply. Who cares if they spam the heck out of a dummy email box. Just helps msn, google, yahoo refine their ability to identify spammers.

On the occasions when I've strung them along, I receive many MORE spam invites (I guess from all their regal relatives). I've never had one suggest I was yanking their chain -- they are always willing to provide more "documentation" that they are legit (like photos of a pile of gold, etc.). I never imply they are frauds -- I just act naive/dumb ("oops, I must have transposed the numbers on my credit card..." etc.).

The whole premise of 'striking back' at hackers is a bit absurd.
First of all, the vast majority of attacks are automated...malware infected bots who simply exploit any and all weak targets. Thus there is nothing to attack, per se.
Second, unless you have unlimited time and money, and the ability to travel the globe at no cost on a moment's notice, your ability to strike-back at anything is rather limited. In theory, if you found the IP address of the Chinese kid who stole your credit card number, are you really going to fly there and do what, exactly?
Even in high profile cases, if the attacker is in a country where the same laws, prosecution processes, or even extradition treaties don't apply, it's impossible to prosecute someone in another country where no crime has occurred, and in some cases the hack itself may have been state-sponsored, so good luck with that.
And last but not least, the level of tech skills to even 'play on that field' are well beyond most IT people I know. There was a case years ago where Steve Gibson, president of Gibson Research (makers of the SpinRite Disk software) was being hacked and he 'hacked the hackers' and basically asked them politely to stop (and they did). But I would suggest that his level of expertise is waaaaay beyond most folks and his attackers were fairly easy to track down.
crime-research DOT org/library/grcdos.pdf
I won't mention the catch-22 that if someone has good IT security knowledge they would be less likely to get hacked in the first case. So those who are hacked are not as likely to be code-ninjas in the first place.

Where does one cross the line and your actions become an "attack" on a possible perpetrator? To start, you could ping an offending IP, to see if it's real or spoofed. You can traceroute of course. Then there's passive, or mildly active scanning for ports, OS type etc. (nmap)
I imagine beyond that, eg looking for something with nessus or metasploit, would be over the line. But what about ping? Would some 'authority' somewhere fault me for pinging another IP on the internet?
BTW on a few occasions simply pinging the address made the unsolicited traffic stop. I imagine some script-kiddie somewhere seeing that coming back from a server they're trying to crack and thinking they've been discovered. Unsophisticated (unskilled?) types might just move on to the next target.
Anyone else ever see incoming traffic stop after poking back with a ping or similar?
BTW I've never thought to reply to spam to string them along, looks like it could be entertaining. I'm curious: after the original spammer figures out you're yanking their chain, do the other sources that grew out of your response dry up too? I'd hate to have my email sold to every joker on the planet.

I too offered a meeting with an imprisoned General's wife from Zambonia. I listed a set of strict conditions, of which the principal one was that she be naked when she approached so I could see any weapons. She declined to accept my conditions, but it occupied the group of guys who were perpetrating the scheme for awhile. Of course, they say most of these schemes are originating out of the US.

I've found much delight in replying to email "opportunities" from the son of the Premier of Zambonia or the widow of the King of Zantolia by expressing a strong desire to work with them, and offering to meet with them in person on my next trip to Africa (which happens to always be in a few days). I can feel the spammer/scammer on the other end of the email drooling, and they always politely decline an in-person visit. And suddenly, my inbox is filled with more spam from all their spambuddies.
I regret to be filling the internet w/more spam (I string them on as long as I can), but I hope my efforts keep them from snagging a few naive/unsuspecting victims in the process. Perhaps if we ALL played along with them they'd be overwhelmed and quit.

Years ago I discovered a trojan application had compromised one of my PCs.
I isolated the machine from the network and did some packet sniffing.
I had the IP address that was connecting, and even tracked it down (via a bit of CyberCrime investigation skills) to a teenage guy in Texas, and I even found his photo and his location within a couple of blocks.
After doing more digging, I found that the trojan attack was engineered so that one infected computer reaches out and infects other computers. So the guy in Texas was no 'hacker', he was just some dude with a computer virus.
Just as the issue of misguided vigilantes in real-life is problematic, even more so in cyberspace.

The serious crackers are in it for the money and what they can steal, and they never want you to know that they exist (especially on your system).
As for terminology, please understand that those who are not deeply in the technical realm do not understand the subtle difference between Hacker and Cracker any more than they know a virus from a trojan. In our office, no matter what sort of malware we're talking about, it's a virus to everyone else!

So let's say you got hacked because you left your unpatched Windows server running Remote Desktop with a weak password (triple duhhhhh).
So then you're going to be able to find, exploit, and attack somebody halfway around the globe whose full-time-job is breaking into other people's computers? Right, good luck with that.
Someone who is even moderately skilled as an attacker takes steps to conceal/obscure their identity as well as not leave wide-open security vulnerabilities open on their systems.
Arguably there is no harder target than the machine of a so-called hacker.
Think about it, if they are breaking the law in a big way, the slightest security weakness could land them in a very unhackable jail cell.

but history proves this to be a futile endeavor; just like when Henry Deringer fought the whole industry for using his name - but it was a fruitless waste of legal battles, because "Derringer" had become a household term for anything small in the concealable weapons market.

that the thought of striking back at the bot net is absurd; but the way I read this article, I got the message that the author knew this. However, if I were the business under attack, I'd have little sympathy for PC users that can't keep their machines clean!
I noticed after the FBI substitute servers went offline after the conclusion of the DNSchanger debacle, there was not even a peep of protest from folks who never got rid of the infection. I doubt there would be much of a reaction shutting down many bot nets, because the users of those machines are so clueless, they would never bother to investigate the cause; if they even cared, they wouldn't be 'botted' in the first place - would they? :)

It would be nice if there were some way to attack their command and control server space; but then, that is pretty difficult to determine (the FBI is lucky to find them occasionally). I do see on Brian Krebs discussions, that some of them can be discovered, but it is a hit or miss proposition, and the server that can be found, may not be the target of the original investigation. At least it would be fun to "get even" though, even if it isn't the specific criminal of interest! ]:)

Probably not the best thing to do, all you are really doing is verifying your address on a 419 mailing list which will then be passed on to other phishers. Sure you are wasting these people's time but they are probably smart enough to pick up on what you are doing.

actions to run interference for clients asking if web offers are legit. They never are, of course, no matter how legit they look, or what a Google search shows; so I use my Hotmail account as bait, and simply let Microsoft filter out all the spam. It has been very effective for me, I only get maybe one or two spam emails a day. I always mark them as spam/phishing and MS does the rest! ]:)

Crackers only communicate through their "minions"; which would be the bot-net, and only issue orders to the net through command and control servers. These servers are very hard to find, and usually only last 3 months at maximum, and usually less; sometimes several of these CAC servers are operating at one time, and randomly shift from one IP to another. Although the hosters of these servers are not usually aware of this "customer", they are typically hosters of ill repute, or just plain negligent organizations. Unless the FBI comes knocking, they will not entertain complaints. I once tried to contact one of these hosting services about a criminal that tried to buy server space with my money (I recovered the funds); but it turned out the physical address was fake (of course), and the people in the building listed never heard of the site (of course), and they were interested to know that someone was faking their location, because they were actually a legit hosting provider, and didn't want their name besmirched. It turns out the CIO of that ISP was involved in rooting out criminals in several of their services, and the cracker will get even by listing their locations, just to sully their name. The back and forth of this hide and seek game can be very entertaining for anyone who takes it upon themselves to be a cyber-warrior against web-crime, but you definitely have to know your enemy, and the chameleon ways they can hide behind the woodwork.

although they exploit our weaknesses, they are themselves very careless. I suppose it is their personality to feel invincible and blatant. But they use very bad practices on their CAC server security, and post obvious tracks on forums that point to themselves like a red flag! If anyone was seriously trying to fix the problem, world wide; it would be over very quickly - until they got out of jail with the new knowledge that they are not bullet proof after all!